[Snort-users] Snort only partially alerting

James Lay jlay at ...13475...
Tue Jun 18 18:13:15 EDT 2013


On 2013-06-18 15:14, Frank Calone wrote:
> I still don't have a fix yet to the problem of Snort only alerting
> occasionally.  I have it set up to look for exe downloads using just 2
> rules.  I have a web site set up to download (not https) an exe
> file.  I decided to run snort in full packet logger mode to see what
> was coming in (/usr/sbin/snort -dev -i p1p1 -l /var/log/snort -h
> x.x.x.x/16).  I immediately started getting the following warning
> messages:
>  
> (snort_decoder) WARNING: IP dgm len > captured len
>  
> I then ran the binary capture through the snort playback (-dvr option).
> Looking at the packets tied to my PC, I can see that almost all of
> them have a datagram length of 40.  Very few packets showed up with a
> real payload, certainly not enough to amount to the size of the file I
> downloaded during the testing.  I'm not sure if there is a config
> setting or something else going wrong here such that very few packets
> have any real data.  Here is a sample of what I am seeing:
>  
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 06/18-16:20:19.229724 15.0.0.18:62287 [1] -> 212.13.197.229:80 [2]
> TCP TTL:127 TOS:0x0 ID:7467 IpLen:20 DgmLen:40 DF
> ***A**** Seq: 0x3279955A  Ack: 0xEF27E0F7  Win: 0x4029  TcpLen: 20
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> Frank


Frank,

Try capturing with tshark or tcpdump (use -s 0 for tcpdump to capture 
the full packet).  Then, after capturing, run it through snort with 
something like:

sudo snort -c snort.conf -r bleh.pcap -k none

James
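As an added example (not from either poster), here is a small script that checks a libpcap file for the condition behind Snort's "IP dgm len > captured len" warning: an IPv4 total-length field larger than the bytes the capture actually kept, which is what a short snaplen produces. The sample capture, MAC addresses and the 54-byte snaplen are constructed; the IPs, ports and sequence numbers are copied from the playback output quoted above.

```python
import struct

ETH_HDR_LEN = 14  # Ethernet II header; linktype 1 in the pcap global header

def ipv4_tcp_frame(payload: bytes) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP frame around payload (constructed test data)."""
    tcp = struct.pack("!HHIIBBHHH", 62287, 80, 0x3279955A, 0xEF27E0F7,
                      5 << 4, 0x10, 0x4029, 0, 0)          # 20-byte header, ACK flag
    total_len = 20 + len(tcp) + len(payload)               # the IP "DgmLen" field
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 7467, 0x4000, 127, 6, 0,
                     bytes([15, 0, 0, 18]), bytes([212, 13, 197, 229]))
    eth = b"\x00" * 12 + b"\x08\x00"                       # dummy MACs, EtherType IPv4
    return eth + ip + tcp + payload

def build_pcap(frames, snaplen: int) -> bytes:
    """Write frames into a libpcap file, cutting each at snaplen as a capture tool would."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out += struct.pack("<IIII", 1371586819, i, len(captured), len(frame)) + captured
    return out

def find_truncated(pcap: bytes):
    """Return (record_no, ip_total_len, captured_ip_len) for every IPv4 record whose
    captured bytes fall short of the IP header's total length, i.e. the condition
    that makes snort_decoder warn "IP dgm len > captured len"."""
    truncated, offset, record_no = [], 24, 0
    while offset + 16 <= len(pcap):
        caplen = struct.unpack_from("<I", pcap, offset + 8)[0]   # incl_len field
        frame = pcap[offset + 16: offset + 16 + caplen]
        offset += 16 + caplen
        record_no += 1
        if len(frame) < ETH_HDR_LEN + 20 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4, or too short to hold an IPv4 header
        dgm_len = struct.unpack_from("!H", frame, ETH_HDR_LEN + 2)[0]
        captured_ip = len(frame) - ETH_HDR_LEN
        if dgm_len > captured_ip:
            truncated.append((record_no, dgm_len, captured_ip))
    return truncated

# Constructed capture: a bare ACK (DgmLen 40) and a 540-byte data segment, both
# taken with a 54-byte snaplen. The ACK fits exactly; the data segment loses its payload.
FRAMES = [ipv4_tcp_frame(b""), ipv4_tcp_frame(b"MZ" + b"\x90" * 498)]
SHORT_SNAPLEN_PCAP = build_pcap(FRAMES, 54)
FULL_PCAP = build_pcap(FRAMES, 65535)   # what a tcpdump -s 0 capture would hold

if __name__ == "__main__":
    print("snaplen 54:", find_truncated(SHORT_SNAPLEN_PCAP))   # [(2, 540, 40)]
    print("snaplen 0 :", find_truncated(FULL_PCAP))            # []
```

Run it against a real capture by reading the file into `find_truncated`; any hits mean the capture, not the rules, is why Snort sees no payload to match.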
